The use of syndrome coding in steganographic schemes tends to reduce distortion during embedding. The more complete model comes from the wet papers (J. Fridrich et al., 2005) and allow to lock positions which cannot be modified. Recently, binary BCH codes have been investigated and seem to be good candidates in this context (D. Schönfeld and A. Winkler, 2006). Here, we show that Reed-Solomon codes are twice better with respect to the number of locked positions; in fact, they are optimal. First, a simple and efficient scheme based on Lagrange interpolation is provided to achieve the optimal number of locked positions. We also consider a new and more general problem, mixing wet papers (locked positions) and simple syndrome coding (low number of changes) in order to face not only passive but also active wardens. Using list decoding techniques, we propose an efficient algorithm that enables an adaptive tradeoff between the number of locked positions and the number of changes.

Steganography aims at sending a message through a cover-medium, in an undetectable way. Undetectable means that nobody, except the intended receiver of the message, should be able to tell if the medium is carrying a message or not [1]. Hence, if we speak about still images as cover-media, the embedding should work with the smallest possible distortion, not being detectable with the quite powerful analysis tools available [2, 3]. A lot of papers have been published on this topic, and it appears that modeling the embedding and detection/extraction processes with an error correcting code point of view, usually called matrix embedding by the steganographic community, may be helpful to achieve these goals [4–15]. The main interest of this approach is that it decreases the number of components modifications during the embedding process. As a side effect, it was remarked in [8] that matrix embedding could be used to provide an effective answer to the adaptive selection channel problem. The sender can embed the messages adaptively with the cover-medium to minimize the distortion, and the receiver can extract the messages without being aware of the sender choices. A typical steganographic application is the perturbed quantization [16]; during quantization process, for example, JPEG compression, real values have to be rounded between possible quantized values ; when lies close to the middle of an interval , one can choose between and without adding too much distortion. This allows to embed messages under the condition that the receiver does not need to know which positions were modified.

It has been shown that if random codes may seem interesting for their asymptotic behavior, their use leads to solve really hard problems; syndrome decoding and covering radius computation, which are proved to be NP-complete and -complete, respectively (the complexity class includes the NP class) [17, 18]. Moreover, no efficient decoding algorithm is known, even for a small nontrivial family of codes. From a practical point of view, this implies that the related steganographic schemes are too complex to be considered as acceptable for real-life applications. Hence, it is of great interest to have a deeper look at other kinds of codes, structured codes, which are more accessible and lead to efficient decoding algorithms. In this way, some previous papers studied the Hamming code [4, 6, 9], the Simplex code [11], and binary BCH codes [12]. Here, we focus on this latter paper, that pointed out the interest in using codes with deep algebraic structures. The authors distinguish two cases, as previously introduced in [8]. The first one is classical: the embedder modifies any position of the cover-data (a vector which is extracted from the cover-medium, and processed by the encoding scheme), the only constraint being the maximum number of modifications allowed. In this case, they showed that binary BCH codes behave well, but pointed out that choosing the most appropriate code among the BCH family is quite hard, we do not know good complete syndrome decoding algorithms for BCH codes. In the second case, some positions are locked and cannot be used for embedding; this is due to the fact that modifying these positions leads to a degradation of the cover-medium that is noticeable. Hence, in order to remain undetectable, the sender restricts himself to keep these positions and lock them. This case is more realistic. The authors showed that there is a tradeoff between the number of elements that can be locked and the efficiency of the code.

This paper is organized as follows. In Section 2, we review the basic setting of coding theory used in steganography. In Section 3, we recall the syndrome coding paradigm, including wet paper codes and active warden. Section 4 presents the classical Reed-Solomon codes and gives details on the necessary tools to use them with syndrome coding, notably the Guruswami-Sudan list decoding algorithm. Section 5 leads to the core of this paper; in Section 5.1, we describe a simple algorithm to use Reed-Solomon codes in an optimal way for wet paper coding, and inSection 5.2 we describe and analyze our proposed algorithm constructed upon the Guruswami-Sudan decoding algorithm.

Before going deeper in the subject, please note that we made the choice to represent vectors as horizontal vectors. For general references to error correcting codes, we orientate the reader toward [19].

We review here a few concepts relevant to coding theory applications in steganography.

Let be the finite field with elements, being a power of some prime number. We consider -tuples over , usually referring to them as words. The classical Hamming weight of a word is the number of coordinates that is different from zero, and the Hamming distance between two words denotes the weight of their difference, that is, the number of coordinates in which they differ. We denote by the ball of radiuscentered on, that is, . Recall that the volume of a ball, that is, the number of its elements does not depend on the center , and is equal to in dimension .

A linear code is a vector subspace of for some integer , called the length of the code. The dimension of corresponds to its dimension as a vector space. Hence, a linear code of dimension contains codewords. The two main parameters of codes are their minimal distance and covering radius. The minimal distance of is the minimal Hamming distance between two distinct codewords and, since we restrict ourself to linear codes, it is the minimum weight of a nonzero codeword. The minimum distance is closely related to the error correction capacity of the code; a code of minimal distance corrects any error vector of weight at most ; that is, it is possible to recover the original codeword from any , with . On the other hand, the covering radius is the maximum distance between any word of and the set of all codewords, . A linear code of length , dimension , minimum distance and covering radius is said to be .

An important point about linear codes is their matrix description. Since a linear code is a vector space, it can be described by a set of linear equations, usually in the shape of a single matrix, called the parity check matrix . That is, for any linear code , there exists an matrix such that

(1)

An important consequence is the notion of syndrome of a word, that uniquely identifies the cosets of the code. A coset of is a set . Two remarks have to be pointed out; first, the cosets of form a partition of the ambient space ; second, for any , we have , and each coset can be identified by the value of the syndrome of its elements denoted here as .

The two main parameters and have interesting descriptions with respect to syndromes. For any word of weight at most , the coset has a unique word of weight at most . Stated differently, if the equation has a solution of weight , then it is unique. Moreover, is maximal for this property to hold. On the other hand, for element of , the equation always has a solution of weight at most . Again, is extremal with respect to this property; it is the smallest possible value for this to be true.

A decoding mapping, denoted by , associates with a syndrome a vector of Hamming weight less than or equal to , which syndrome is precisely equal to , and . For our purpose, it is not necessary that returns the vector of minimum weight. Please, remark that the effective computation of corresponds to the complete syndrome decoding problem, which is hard.

Finally, we need to construct a smaller code from a bigger one . The operation we need is called shortening; for a fixed set of coordinates , it consists in keeping all codewords of that have zeros for all positions in and then deleting these positions. Remark that if has parameters with , then the resulting code, , has length and dimension .

The behavior of a steganographic algorithm can be sketched in the following way:

(1)

a cover-medium is processed to extract a sequence of symbols , sometimes called cover-data;

(2)

is modified into to embed the message ; is sometimes called the stego-data;

(3)

modifications on are translated on the cover-medium to obtain the stego-medium.

Here, we assume that the detectability of the embedding increases with the number of symbols that must be changed to go from to (see [6, 20] for some examples of this framework).

Syndrome coding deals with this number of changes. The key idea is to use some syndrome computation to embed the message into the cover-data. In fact, such a scheme uses a linear code , more precisely its cosets, to hide . A word hides the message if lies in a particular coset of , related to . Since cosets are uniquely identified by the so-called syndromes, embedding/hiding consists exactly in searching with syndrome , close enough to .

3.1. Simple Syndrome Coding

We first set up the notation and describe properly the syndrome coding framework and its inherent problems. Let denote the cover-data and the message. We are looking for two mappings, embedding and extraction , such that

(2)

(3)

Equation (2) means that we want to recover the message in all cases; (3) means that we authorize the modification of at most coordinates in the vector .

From Section 2, it is quite easy to show that the scheme defined by

(4)

enables to embed messages of length in a cover-data of length , while modifying at most elements of the cover-data.

The parameter represents the (worst) embedding efficiency, that is, the number of embedded symbols per embedding changes in the worst case. In a similar way, one defines the average embedding efficiency, where is the average weight of the output of for uniformly distributed inputs. Here, both efficiencies are defined with respect to symbols and not bits. Linking symbols with bits is not simple, as naive solutions lead to bad results in terms of efficiency. For example, if elements of are viewed as blocks of bits, modifying a symbol roughly leads to bit flips on average and for the worst case.

3.2. Syndrome Coding with Locked Elements

A problem raised by the syndrome coding, as presented above, is that any position in the cover-data can be changed. In some cases, it is more reasonable to keep some coordinates unchanged because they would produce too big artifacts in the stego-data. This can be achieved in the following way. Let be the coordinates that must not be changed, let be the matrix obtained from by removing the corresponding columns; this matrix defines the shortened code . Let and be the corresponding encoding and decoding mappings, that is, for , and is a vector of weight at most such that its syndrome, with respect to , is . Here, is the covering radius of . Finally, let us define as the vector of such that the coordinates in are zeros and the vector obtained by removing these coordinates is precisely . Now, we have and, by definition, has zeros in coordinates lying in . Naturally, the scheme defined by

(5)

performs syndrome coding without disturbing the positions in . But, it is worth noting that for some sets , the mapping cannot be defined for all possible values of because the equation has no solution. This always happens when , since has dimension , but can also happen for smaller sets.

3.3. Syndrome Coding for an Active Warden

The previous setting focuses on distortion minimization to avoid detection by the entity inspecting the communication channel, the warden. This supposes the warden keeps a passive role, only looking at the channel. But, the warden can, in a preventive way, modify the data exchanged over the channel. To deal with this possibility, we consider that the stego-data may be modified by the warden, who can change up to of its coordinates. (In fact, we suppose that the action of the warden on the stego-medium translates onto the stego-data in such a way that at most coordinates are changed.)

This case has been addressed independently with different strategies by [21, 22]. To address it with syndrome coding, we want with . This requires that the balls are disjoint for different messages . In fact, the requirements on lead to a known generalization of error correcting codes, called centered error correcting codes (CEC codes). They are defined by an encoding mapping such that and the balls do not intersect; is precisely what we need for in the active warden setting. A decoding mapping for this centered code plays the role of .

Our problem can be reformulated as follows. Let us consider an error correcting code of dimension and length used for syndrome coding, this code having a parity check matrix ; now, let us consider a subcode of , of dimension , defined by its parity check matrix , which can be written as

(6)

The additional parity check equations given by correspond to the restriction from to . The cosets of in , that is, the sets , can be indexed in this way

(7)

The equation, , means that the word belongs to , and gives the coset of in which lies. These cosets are pairwise disjoint and their union is . The index may be identified with its binary expansion, and we can identify the embedding step with looking for a word such that

(8)

Hence, we can choose , where is a solution of , with .

3.4. A Synthetic View of Syndrome Coding for Steganography

The classical problem of syndrome coding presented in Section 3.1 can be extended in several directions, as presented in Sections 3.2 and 3.3. It is possible to merge both in one to get at the same time reduced distortion and active warden resistance. This has some impact on the parity check matrices we have to consider.

Starting from the setting of the active warden, the problem becomes to find solutions of , with the additional restriction that for . This means that we have to solve a particular instance of syndrome coding with locked elements, the syndrome has a special shape .

Reed-Solomon codes over the finite field are optimal linear codes. The narrow-sense RS codes have length and can be defined as a particular subfamily of the BCH codes. But, we prefer the alternative, and larger, definition as an evaluation code, which leads to the generalized Reed-Solomon codes (GRS codes) .

4.1. Reed-Solomon Codes as Evaluation Codes

Roughly speaking, a GRS code of length and dimension is a set of words corresponding to polynomials of degree less than evaluated over a subset of of size . More precisely, let be a subset of and define where is a polynomial over . Then, we define as

(9)

This definition, a priori, depends on the choice of the and the order of evaluation; but, as the code properties do not depend on this choice, we will only focus here on the number of and will consider an arbitrary set and order. Remark that when with a primitive element of and , we obtain the narrow-sense Reed-Solomon codes .

As we said, GRS codes are optimal since they are maximum distance separable (MDS); the minimal distance of is , which is the largest possible. On the other hand, the covering radius of is known and equal to .

Concerning the evaluation function, recall that if we consider elements of , then it is known that there is a unique polynomial of degree at most taking particular values on these elements. This means that for every in , one can find a polynomial with , such that ; moreover, is unique. With a slight abuse of notation, we write . Of course, is a linear mapping, for any polynomials and field elements .

Thus, the evaluation mapping can be represented by the matrix

(10)

If we denote by the vector consisting of the coefficients of , then . On the other hand, being nonsingular, its inverse computes from . For our purpose, it is noteworthy that the coefficients of monomials of degree at least can be easily computed from , splitting in two parts

(11)

is precisely the coefficients vector of the monomials of degree at least in . In fact, is the transpose of a parity check matrix of , since a vector is an element of the code if and only if we have . So, instead of , we write , as it is usually done.

4.2. A Polynomial View of Cosets

Now, let us look at the cosets of . A coset is a set of the type , with not in . As usual with linear codes, a coset is uniquely identified by the vector , syndrome of . In the case of GRS codes, this vector consists of the coefficients of monomials of degree at least .

4.3. Decoding Reed-Solomon Codes

4.3.1. General Case

Receiving a vector , the output of the decoding algorithm may be

(i)

a single polynomial , if it exists, such that the vector is at distance at most from (remark that if such a exists, it is unique), and nothing otherwise;

(i i) a list of all polynomials such that the vectors are at distance at most from , being an input parameter.

The second case corresponds to the so-called list decoding; an efficient algorithm for GRS codes was initially provided by [23], and was improved by [24], leading to the Guruswami-Sudan (GS) algorithm.

We just set here the outline of the GS algorithm, providing more details in the appendix. The Guruswami-Sudan algorithm uses a parameter called the interpolation multiplicity . For an input vector , the algorithm computes a special bivariate polynomial such that each couple is a root of with multiplicity . The second and last step is to compute the list of factors of , of the form , with . For a fixed , the list contains all the polynomials which are at distance at most . The maximum decoding radius is, thus, . Moreover, the overall algorithm can be performed in less than arithmetic operations over .

4.3.2. Shortened GRS Case

The Guruswami-Sudan algorithm can be used for decoding shortened GRS codes. For a fixed set of indices, we are looking for polynomials such that , for and for as many as possible. Such can be written as with . Hence, decoding the shortened code reduces to obtain such that and for as many as possible. Stated differently, it reduces to decode in , which can be done by the GS algorithm.

Our problem is the following. We have a vector of symbols of , extracted from the cover-medium, and a message . We want to modify into such that is embedded in , changing at most coordinates in .

The basic principle is to use syndrome coding with a GRS code. We use the cosets of a GRS code to embed the message, finding a vector in the proper coset, close enough to . Thus, we suppose that we have fixed , constructed the matrix whose th row is , and inverted it. In particular, we denote by the last columns of , and therefore, according to Section 4.1, is a parity-check matrix. Recall that a word embeds the message if .

To construct , we need a word such that its syndrome is ; thus, we can set , which leads to . Moreover, the Hamming weight of is precisely the number of changes we apply to go from to ; so, we need .

When is equal to the covering radius of the code corresponding to , such a vector always exists. But, explicit computation of such a vector , known as the bounded syndrome decoding problem, is proved to be NP-hard for general linear codes. Even for families of deeply structured codes, we usually do not have polynomial time (in the length ) algorithms to solve the bounded syndrome decoding problem up to the covering radius. This is precisely the problem faced by [12].

GRS codes overcome this problem in a nice fashion. It is easy to find a vector with syndrome . Let us consider the polynomial that has coefficient for the monomial , ; according to the previous section, we have . Now, finding can be done by computing a polynomial of degree less than such that for at least elements we have . With such a , the vector has at least coordinates equal to zero, and the correct syndrome value. Hence, and the challenge lies in the construction of .

It is noteworthy to remark that locking the position , that is, requiring , is equivalent to require and, thus, to ask for .

5.1. A Simple Construction of P

5.1.1. Using Lagrange Interpolation

A very simple way to construct is Lagrange interpolation. We choose coordinates and compute

(12)

where is the unique polynomial of degree at most taking values on , and on , that is,

(13)

The polynomial we obtain by this way clearly satisfies for any and, thus, can match . As pointed out earlier, since, for , we have , we also have , that is, positions in are locked.

The above proposed solution has a nice feature; by choosing , we can choose the coordinates on which and are equal, and this does not require any loss in computational complexity or embedding efficiency. This means that we can perform the syndrome decoding directly with the additional requirement of wet papers keeping unchanged the coordinates whose modifications are detectable.

5.1.2. Optimal Management of Locked Positions

We can embed elements of , changing not more than coordinates, so the embedding efficiency is equal to in the worst case. But, we can lock any positions to embed our information.

This is to be compared with [12], where binary BCH codes are used. In [12], the maximal number of locked positions, without failing to embed the message , is experimentally estimated to be . To be able to lock up to positions, it is necessary to allow a nonzero probability of nonembedding. It is also noteworthy that the average embedding efficiency decreases fast.

In fact, embedding symbols while locking symbols amongst is optimal. We said in Section 3 that locking the positions in leads to an equation , where has dimension . So, when , there exist some values for which there is no solution. On the other hand, let us suppose we have a code with parity check matrix such that for any of size , and any , this equation has a solution, that is, is invertible. This means that any submatrix of is invertible. But, it is known that this is equivalent to require the code to be MDS (see, e.g., [19, Corollary 1.4.14]), which is the case of GRS codes. Hence, GRS codes are optimal in the sense that we can lock as many positions as possible, that is, up to for a message length of .

5.2. A More Efficient Construction of P

If the number of locked positions is less than , Lagrange interpolation is not optimal since it changes positions, almost always. Unfortunately, Lagrange interpolation is unable to use the additional freedom brought by fewer locked positions.

A possible way to address this problem is to use a decoding algorithm in order to construct , that is, we try to decode . Locked positions can be dealt with as explained in Section 3.2. If it succeeds, we get a in the ball centered on of radius , where is the decoding radius of the decoding algorithm. Here, the Guruswami-Sudan algorithm helps; it provides a large , that is, greater chances of success, and outputs a list of which allows to choose the best one with respect to some additional constraints on undetectability. In case of a decoding failure, we can add a new locked position and retry. If we already have locked positions, we fall back on Lagrange interpolation.

5.2.1. Algorithm Description

We start with the "while loop" of the algorithm. So suppose that we have a set of positions to lock. Let be the Lagrange interpolation polynomial for , that is, for all . Thus, we can write with . We perform a GS decoding on in , that is, we compute the list of polynomials such that and

(14)

for at least values , where is the decoding radius of the GS algorithm, which depends on and . If the decoding is successful, then has zeros on positions in and is equal to for at least positions . Pick up such that the distortion induced by is as low as possible. Remark that here is equal to .

The full algorithm (see Algorithm 1) is simply a while loop on the previous procedure, at the end of which, in case of a decoding failure, we add a new position to . Before commenting the algorithm, let us describe the three external procedures that we use:

(i)

the procedure outputs a polynomial such that for all and ;

(ii) the procedure refers to the Guruswami-Sudan list decoding (Section 4.3.1). For the sake of simplicity, we just write for the output list of the GS decoding of , with respect to . So, this procedure returns a good approximation of , on the evaluation set, of degree less than ;

(iii) the procedure returns an integer from the set given as a parameter. This procedure is used to choose the new position to lock before retrying list decoding.

Lines 1 to 5 of the algorithm depicted in Algorithm 1 simply do the setup for the while loop. The while loop, Lines 6 to 12, tries to use list decoding to construct a good solution, as described above. Remark that if all GS decodings fail, we have with is equal to polynomial of Section 5.1, that is, we just fall back on Lagrange interpolation. Lines 13 to 16 use the result of the while loop in case of a decoding success, according to the details given above.

Correctness of this algorithm follows from the fact that through the whole algorithm we have and for . Termination is clear since each iteration of the Loop 6-12 increases .

5.2.2. Algorithm Analysis

The most important property of embedding algorithms is the number of changes introduced during the embedding. Let be the average number of such changes when GRS is used and positions are locked. For our algorithm, this quantity depends on two parameters related to the Guruswami-Sudan algorithm:

Algorithm 1: Algorithm for embedding with locked positions using a code ( fixed). It embeds symbols with up to locked positions and at most changes.

Inputs:, the cover-data

, symbols to hide

, set of coordinates to remain unchanged,

Output:, the stego-data

(; , ; )

(1)

(2)

(3)

(4)

(5)

(6)

while and do

(7)

(8)

(9)

(10)

(11)

(12) end while

(1 3) ifthen

(14)

(15)

(16) end if

(17)

(18) return

(i)

the probability that the list decoding of a word in outputs a nonempty list of codewords in GRS ;

(ii)

the average distance between the closest codewords in the (nonempty) list and the word to decode.

We denote by the probability of an empty list and for conciseness let ,. Thus, the probability that the first list decodings fail and the th succeeds can be written as with and . Remark that in this case, coordinates are changed on average.

Now, the average number of changes required to perform the embedding can be expressed by the following formula:

(15)

(a)

Estimating and

To (upper) estimate , we proceed as follows. Let be the random variable equal to the size of the output list of the decoding algorithm. The Markov inequality yields , where denotes the expectation of . But, is the probability that the list is nonempty and, thus, . Now, is the average number of elements in the output list, but this is exactly the average number of codewords in a Hamming ball of radius . Unfortunately, no adequate information can be found in the literature to properly estimate it; the only paper studying a similar quantity is [25], but it cannot be used for our . So, we set

(16)

where is the volume of a ball of radius . This would be the correct value if GRS codes were random codes over of length , with codewords uniformly drawn from . That is, we estimate as if GRS codes were random codes. Thus, we use to upper estimate .

The second parameter we need is , the average number of changes required when the list is nonempty. We consider that the closest codeword is uniformly distributed over the ball of radius and, therefore, we have

(17)

(b)

Estimating The Average Number of Changes

Using our previous estimations for and , we plotted in Figure 1 (), Figure 2 (), Figure 3 (). For each figure, we set and plotted for several values of .

Remember that and that when , our algorithm simply uses Lagrange interpolation, which leads to the maximum number of changes, that is, . On the other side, when , our algorithm tries to use Guruswami-Sudan algorithm as much as possible. Therefore, our algorithm improves upon the simpler Lagrange interpolation when

(18)

is large. A second criterion to estimate the performance is the slope of the plotted curves, the slighter, the better.

With this in mind, looking at Figure 1, we can see that provides good performances; , which means that list decoding avoids up to of the changes required by Lagrange interpolation, and on the other hand, the slope is nearly when . For higher embedding rate, all values of less than have .

In Figure 2, for . In Figure 3, for , except for . Remark that , the slope is nearly 0 for , which means that we can lock about half the coordinates and still have of improvement with respect to Lagrange interpolation.

Figure 1

Average number of changes with respect to the number of locked positions for. Only curves with are plotted.

Figure 2

Average number of changes with respect to the number of locked positions for. Only curves with are plotted.

Figure 3

Average number of changes with respect to the number of locked positions for. Only curves with are plotted.

We have shown in this paper that Reed-Solomon codes are good candidates for designing efficient steganographic schemes. They enable to mix wet papers (locked positions) and simple syndrome coding (small number of changes) in order to face not only passive but also active wardens. If we compare them to the previous studied codes, as binary BCH codes, Reed-Solomon codes improve the management of locked positions during embedding, hence ensuring a better management of the distortion; they are able to lock twice the number of positions. Moreover, they are optimal in the sense that they enable to lock the maximal number of positions. We first provide an efficient way to do it through Lagrange interpolation. We then propose a new algorithm based on Guruswami-Sudan list decoding, which is slower but provides an adaptive tradeoff between the number of locked positions and the average number of changes.

In order to use them in real applications, several issues still have to be addressed. First, we need to choose an appropriate measure to properly estimate the distortion induced at the medium level when modifying the symbols at the data level. Second, we need to use a nonbinary, and preferably large, alphabet. A straightforward way to deal with this would be to simply regroup bits to obtain symbols of our alphabet and consider that a symbol should be locked if it contains a bit that should be. Unfortunately, it would lead to a large number of locked symbols (e.g., of locked bits leads to up to of locked symbols if we use ). A better way would be to use grid coloring [26], keeping a -to- ratio. But, the price to this -to- ratio would be a cut in payload. We think a good solution has yet to be figured out. Nevertheless, in some settings, a large alphabet arises naturally; for example, in [14], a (binary) wet paper code is used on the syndromes of a Hamming code, some of these syndromes being locked; here, since whole syndromes are locked, we can view syndromes as elements of the larger field and use our proposal. Third, no efficient implementation of the Guruswami-Sudan list decoding algorithm is available. And, as the involved mathematical problems are really tricky, only a specialist can perform a real efficient one. Today, these three issues remain open.

Acknowledgments

Dr. C. Fontaine is supported (in part) by the European Commission through the IST Programme under Contract IST-2002-507932 ECRYPT and by the French National Agency for Research under Contract ANR-RIAM ESTIVALE. The authors are in debt to Daniel Augot for numerous comments on this work, in particular for pointing out the adaptation of the Guruswami-Sudan algorithm to shortened GRS used in the embedding algorithm.

Appendix

Guruswami-Sudan Algorithm

We provide here the core of the Guruswami-Sudan algorithm, without deep details on (important) algorithms that are required to achieve a good complexity (the interested reader may refer to [19, 24, 25]).

A.1. Description

Recall we have a vector and we want to find all polynomials such that is at distance at most from , and . We construct a bivariate polynomial over such that for all at distance at most from . Then, we compute all from a factorization of .

First, let us define what is called the multiplicity of a zero for bivariate polynomial: has a zero of multiplicity if and only if the coefficients of the monomials in are equal to zero for all with . This leads to linear equations in the coefficients of . Writing , then with

(A1)

Since a multiplicity in is exactly for , and we have values of and such that , we have the right number of equations.

The principle is to use the linear equations in the coefficients of , obtained by requiring to be a zero of with multiplicity for . Solving this system leads to the bivariate polynomial , but, to be sure our system has a solution, we need more unknowns than equations. To address this point, we impose a special shape on . For a fixed integer , we set with the restriction that . Thus, has at most

(A2)

coefficients. Choosing such that guarantees to have nonzero solutions. Of course, since degrees of must be nonnegative integers, we have .

On the other hand, under the conditions we imposed on , one can prove that for all polynomials of degree less than and at distance at most from , divides . Detailed analysis of the parameters shows it is always possible to take less than or equal to

(A3)

(see [19, Chapter 5]). Thus, we have the formula , which leads to the maximum radius for large enough.

A.2. Complexity

Using in (A.2), there are linear equations with roughly unknowns. Solving these equations with fast general linear algebra can be done in less than arithmetic operations over (see [27, Chapter 12]).

Finding the factor can be achieved in a simple way, considering an extension of of order . A (univariate) polynomial over of degree less than can be uniquely represented by an element of and, under this representation, to find factors of is equivalent to find factors of , that is, to compute factorization of a univariate polynomial of degree over which can be done in at most operations over , neglecting logarithmic factors (see [27, Chapter 14]).

The global cost of this basic approach is heavily dominated by the linear algebra part in with a particularly large degree in . It is possible to perform the Guruswami-Sudan algorithm at a cheaper cost, still in , with less naive algorithms. Complete details can be found in [25].

To sum up, Guruswami-Sudan decoding algorithm finds polynomials of degree at most and at distance at most from using simple linear algebra and factorization of univariate polynomial over a finite field for a cost in less than arithmetic operations in . This can be reduced to with dedicated algorithms.

This article is published under license to BioMed Central Ltd. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.